On Jul 8, 2006, at 5:38 PM, Tino Wildenhain wrote:

Jim Fulton wrote:

You mean auditing. Testing would not help IMHO. Testing
only checks if expected behavior still works. And nobody
expects the Spanish Inquisition *wink* ;)

You can test that trying to do file inclusion fails.

For example, if I were the one who had written
the naive test, I would not have known a file inclusion
feature even exists or is supposed to be exposed to
reST. So my test would not have tested it. So we would have
had perfect tests for all the reST things we want and
expect, but the hole would exist anyway.

I agree that testing is not enough if you don't know what to
test for.  It's sad that whoever enabled this didn't bother
to read the docutils documentation, which documents the feature
and even provides a warning about its security issues:

http://docutils.sourceforge.net/docs/ref/rst/directives.html#including-an-external-document-fragment


Jim Fulton          mailto:[EMAIL PROTECTED]          Python
CTO                 (540) 361-1714
Zope Corporation    http://www.zope.com    http://www.zope.org
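Jim's point that a test can check directly that file inclusion fails, as an added example written for this page (it is not Zope's or docutils' own test code): a constructed reST document tries to pull a server-side file into the rendered page through `.. include::` and through `.. raw:: html` with a `:file:` option, once under docutils' default settings and once with `file_insertion_enabled` and `raw_enabled` switched off, and the check is simply whether the file's contents reach the HTML body. The marker string and the temporary file stand in for an arbitrary readable file on the server and are constructed for the test; the setting names are docutils' own.

```python
"""Regression check for reST rendered from untrusted input: a document
must not be able to read server-side files via docutils directives.
Added example for this thread, not code from Zope or docutils.
"""
import os
import tempfile

from docutils.core import publish_parts

# Settings a site should apply when rendering reST that untrusted users
# can submit.  The names are docutils' own settings; the values are the
# safe ones.  The thread's hole is exactly these two left at their defaults.
UNTRUSTED_SETTINGS = {
    "file_insertion_enabled": False,  # disables .. include:: and :file:/:url: options
    "raw_enabled": False,             # disables .. raw:: (arbitrary HTML or files)
    "report_level": 5,                # keep system messages off stderr in the test
    "halt_level": 5,                  # never abort; the output is inspected instead
}

# docutils' own defaults for the two security-relevant switches, with the
# same quiet reporting so the comparison only differs in what matters.
DEFAULT_SETTINGS = {"report_level": 5, "halt_level": 5}


def render_body(source, settings):
    """Render a reST string to the HTML <body> fragment docutils produces."""
    parts = publish_parts(source, writer_name="html", settings_overrides=settings)
    return parts["body"]


def include_attack(path):
    """Constructed payload: pull a file in as reST source."""
    return ".. include:: %s\n" % path


def raw_file_attack(path):
    """Constructed payload: pull a file in verbatim as raw HTML."""
    return ".. raw:: html\n   :file: %s\n" % path


def leaked(source, secret, settings):
    """True if rendering *source* under *settings* exposes *secret*."""
    return secret in render_body(source, settings)


def check_inclusion_blocked():
    """Try both directives against a temp file holding a marker string.

    Returns (leaks_with_defaults, leaks_when_hardened), each a list with
    one boolean per payload in the order [include, raw :file:].
    """
    secret = "MARKER_9f2b"  # constructed; stands in for /etc/passwd or a config file
    fd, path = tempfile.mkstemp(suffix=".txt")
    try:
        with os.fdopen(fd, "w") as f:
            f.write(secret + "\n")
        payloads = [include_attack(path), raw_file_attack(path)]
        with_defaults = [leaked(p, secret, DEFAULT_SETTINGS) for p in payloads]
        hardened = [leaked(p, secret, UNTRUSTED_SETTINGS) for p in payloads]
        return with_defaults, hardened
    finally:
        os.unlink(path)


if __name__ == "__main__":
    defaults, hardened = check_inclusion_blocked()
    print("leaks with docutils defaults (include, raw :file:):", defaults)
    print("leaks with file_insertion/raw disabled:", hardened)
```

Under docutils' defaults both payloads land the marker in the body; with the two switches off, each directive is replaced by a "directive disabled" system message and the marker never appears. The test is only as good as the list of payloads, which is Tino's point: it exists because someone read the directive documentation and knew `include` and `raw` were there to test for.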
